summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-12-26 17:03:47 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-12-26 17:03:47 +0000
commit0deb1899c4c9fb07332ac3f5ea0bd1370f3f522d (patch)
treed9d7f0adbfdcfdf26a385354d9d8ff1caf7b263b
parent3f21b398f8d8d07f969afa002173422ce18bf657 (diff)
As the divert-to pf state is not connected, it is not linked to the
incpb and so not removed when the socket is closed. Packets matching reply and reply-to states are linked to the sockets immediately. So these states must go away when the socket is closed. Check this with the output of "pfctl -s states" after running the Perl scripts.
-rw-r--r--regress/sys/net/pf_divert/Makefile51
1 files changed, 42 insertions, 9 deletions
diff --git a/regress/sys/net/pf_divert/Makefile b/regress/sys/net/pf_divert/Makefile
index 345fc50d2a4..497561aa13d 100644
--- a/regress/sys/net/pf_divert/Makefile
+++ b/regress/sys/net/pf_divert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.19 2017/12/18 17:01:27 bluhm Exp $
+# $OpenBSD: Makefile,v 1.20 2017/12/26 17:03:46 bluhm Exp $
# The following ports must be installed for the regression tests:
# p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
@@ -151,12 +151,23 @@ run-regress-${inet}-${a:R}: ${a}
.endif
.endfor
+STATE_EXIST_tcp_to = !
+STATE_EXIST_udp_to =
+STATE_EXIST_rip_to =
+STATE_EXIST_tcp_reply = !
+STATE_EXIST_udp_reply = !
+STATE_EXIST_rip_reply = !
+STATE_EXIST_tcp_reply-to = !
+STATE_EXIST_udp_reply-to = !
+STATE_EXIST_rip_reply-to = !
+
.for proto in tcp udp rip
.for first second in to to to reply to reply-to reply to reply reply reply reply-to reply-to to reply-to reply reply-to reply-to
run-regress-${inet}-reuse-${proto}-${first}-${second}:
@echo '\n======== $@ ========'
+ # create state with ${first} divert rule
time ${SUDO} SUDO=${SUDO} KTRACE=${KTRACE} \
perl ${PERLINC} ${PERLPATH}remote.pl -f ${inet} \
${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} \
@@ -164,38 +175,60 @@ run-regress-${inet}-reuse-${proto}-${first}-${second}:
sed -n '/^connect peer:/s/.* //p' client.log >client.port
sed -n '/^connect sock:/s/.* //p' client.log >server.port
.if "tcp" == ${proto}
-.if "reply" == ${first}
+ # drop client tcp socket still in time wait to allow reuse
+.if "reply" == ${first} || "reply-to" == ${first}
${SUDO} tcpdrop \
${LOCAL_${addr}} `cat client.port` \
${FAKE_${addr}} `cat server.port`
-.endif
-.if "to" == ${first}
+.else # "to" == ${first}
+ # tcp socket is in time wait so state must still exist
+ ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \
+ egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat client.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat server.port`'\]? '
ssh ${REMOTE_SSH} ${SUDO} tcpdrop \
${FAKE_${addr}} `cat client.port` \
${LOCAL_${addr}} `cat server.port`
+ # divert-to state disappeared when the tcp socket was dropped
+ ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | ! \
+ egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat client.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat server.port`'\]? '
.endif
.endif
+.if "to" == ${first}
+.if "tcp" == ${proto}
+ # divert-to state has disappeared as tcp socket is always connected
+.else
+ # divert-to state still exists as the socket is unconnected
+.endif
+.else
+ # divert-reply state has disappeared when the connected socket closed
+.endif
+ ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | ${STATE_EXIST_${proto}_${first}} \
+ egrep ' (tcp|udp|254) ${FAKE_${addr}}[][0-9:]* .. ${LOCAL_${addr}}[][0-9:]* '
+ # create state again with ${second} divert rule
time ${SUDO} SUDO=${SUDO} KTRACE=${KTRACE} \
perl ${PERLINC} ${PERLPATH}remote.pl ${inet} \
${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} \
`cat client.port` `cat server.port` \
${PERLPATH}args-${proto}-${second}.pl
.if "tcp" == ${proto}
-.if "reply" == ${second}
+.if "reply" == ${second} || "reply-to" == ${second}
+ # drop client tcp socket still in time wait to clean up
${SUDO} tcpdrop \
${LOCAL_${addr}} `cat server.port` \
${FAKE_${addr}} `cat client.port`
-.endif
-.if "to" == ${second}
+.else # "to" == ${second}
+ # dropping the server tcp socket in time wait must remove the state
ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \
egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? '
ssh ${REMOTE_SSH} ${SUDO} tcpdrop \
${FAKE_${addr}} `cat server.port` \
${LOCAL_${addr}} `cat client.port`
- ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \
- ! egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? '
+ ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | ! \
+ egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? '
.endif
.endif
+ # states must disappear after connected socket has been closed
+ ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | ${STATE_EXIST_${proto}_${second}} \
+ egrep ' (tcp|udp|254) ${FAKE_${addr}}[][0-9:]* .. ${LOCAL_${addr}}[][0-9:]* '
.endfor
.endfor